NSA Power Grab: New Legislation Would Give It Broad Powers To Spy On 'Critical' Private Networks

from the doesn't-pass-the-laugh-test dept

Well, we saw this one coming a mile away. Last week, in talking about the current fight in the Senate over the new cybersecurity legislation that's making the rounds, we noted that the behind-the-scenes story appeared to be that the NSA was going to make a power play to try to get responsibility for cybersecurity handed to it, rather than Homeland Security. Over the last few days, it's become clear that's exactly what's going on. While neither the NSA nor DHS inspire much confidence when it comes to heading up cybersecurity, the NSA plan is really crazy. It's expected that Senator McCain will be introducing legislation shortly that would give cybersecurity responsibility to the NSA.

McCain is positioning his version of the bill as one that focuses on "a cooperative relationship with the entire private sector through information sharing, rather than an adversarial one with prescriptive regulations." However, reports are that McCain's version involves a plan that the NSA has been aggressively lobbying for to give it access to networks deemed "critical." The NSA says that it wants to monitor these networks in case of attack so it can spring into action.

However, given the NSA's other mandates (spying!) this certainly has raised some fairly significant concerns. Should every private company running a network deemed critical automatically be required to install a special NSA spying box? Even the White House and the Justice Department (no strangers to over aggressive monitoring) have pushed back that this would be "unprecedented government" intrusion into the civilian internet. It's apparently gotten so bad, that the Obama administration has privately slapped down NSA boss General Keith Alexander (last heard talking about how Anonymous was going to shut down powerlines) for "advocating for something beyond that, that is undermining the commander in chief."

Of course, the administration can't stop former NSA boss Mike McConnell from running around spreading fear mongering stories about how the entire internet is at risk if we don't give the NSA unprecedented spying powers. Left out of his talks on this matter is that, not only has he been making these claims about how the internet is on the verge of collapse if the NSA doesn't get these powers for many, many years (without any evidence to show that it's true), but he's also now employed by Booz, Allen as a VP -- which is relevant, because Booz is already profiting massively from all this fear mongering, by getting hundreds of millions of dollars in federal contracts to "help" the government deal with the scary threats of the internet.

The NSA’s claims are premised on the dual assumptions that the private sector is not actively defending its systems and that only the NSA has the skills and the technology to do effective cybersecurity. The first is demonstrably wrong. The Internet and telecommunications companies are already doing active defense (not to be confused with offensive measures). The Tier 1 providers have been doing active defense for years – stopping the threats before they do damage – and the companies have been steadily increasing the scope and intensity of their efforts.

The second assumption (that only the NSA has the necessary skills and insight) is very hard for an outsider to assess. But given the centrality of the Internet to commerce, democratic participation, health care, education and multiple other activities, it does not seem that we should continue to invest a disproportionate percentage of our cybersecurity resources in a military agency. Instead, we should be seeking to improve the civilian government and private sector capabilities.

Dempsey goes on to say that the NSA has already been helping Tier 1 providers by sharing its "secret sauce" to protect them against attack without having to have full access to the networks, and it seems silly that a process like that can't continue and be quite effective without giving up all privacy. Similarly, Jerry Brito, who has been following all of this very closely, notes that it's somewhat crazy to think that we can't just continue with the NSA assisting at arms-length without giving them full access to private networks.

Brito further highlights that there's a reason why we have civilian law enforcement for domestic issues, not military officials -- noting that (while they don't always succeed), civilian law enforcement is used to working within "an environment where constitutional rights apply and to use force only as a last resort." That is simply not true of the military or the NSA, whose operations usually involve issues outside the US, where the Constitution does not apply. And yes, they've certainly blurred that domestic/foreign line over the years, but that's no reason to go even further and give the military more power of the private domestic internet.

Funny, the NSA has been responsible for electronic security and crypto equipment for well over the past 30 years.

It's the NSA's primary function, no they do not 'spy', that is your CIA and FBI, and your Fed's. NSA makes equipment for signals encryption, that has allways been their expertise. NSA is in a far better position in this field than homeland security. Also the NSA produces most if not all NATO cypto machines.

Whomever connects a system deemed "critical" to the internet is obviously incompetent and should find a different career.

Thats why they don't do it.

I guess you have not seen the range of equipment with the letters NSA printed on it ? and you probably never will.

They have been building, designing, and modifying this type of equipment since well before the internet came along..

Re:

Re:

You aren't thinking in the long term. These "great solutions" are multi-layered schemes that are designed to pay off a number of people in the long term.

The first to get paid are the lobbyists and their political allies.

Next are the CEOs who had already set up a business for privatizing the now government mandated legal solution.

Then you have activist groups - both grass roots and astroturf - which are paid to stir up trouble to either expand or remove the new policies after they've been abused. (For the Children!)

After that are the lawyers and judges who have to deal with the resulting fallout from people unknowingly violating the laws. On both sides of the now controversial issue.

It goes on and on down the line until you finally get to the scruffy looking bum on the corner selling USB keys with encryption software. However you never know if he's an underground gray hat, or an FBI agent working on a sting operation.

Really?!?

The NSA barely has enough resources to take care of their own business, how about if they focus on helping the federal government clean up and secure their critical assets, then worry about what else they can spy on.

Pudding!

Dear NSA Fud-master:
Please prove it. Seriously, shut down the power grid from your desk--the NSA must have at least as many members as Anonymous, and surely they have computer. So, you've got the same resources as Anonymous. Shut down somebody's power grid via the internet--it'll make great press-copy, and people will believe you.
Remember though: pics or it didn't happen.

Re:

As someone who worked under the NSA for a while, I can tell you they most certainly do spy. It's even obvious from their mandate in Executive Order 12333: "Collect (including through clandestine means), process, analyze, produce, and disseminate signals intelligence information and data for foreign intelligence and counterintelligence purposes to support national and departmental missions"

Re:

Your statements are made as though they were facts ... however, I doubt you are qualified or possess sufficient clearance to make these statements.

You claim that critical systems are not connected to the internet. If this is true, then why would anyone feel it necessary to monitor said system - you know - in case it is attacked by uber cyber hackerz? Must be an inside job they are concerned about then?

+ NDAA

Re: Pudding!

The increase government control over everything pundits love to cry "ANON will shut down the power grid" !!!1111

This is stupid for many reasons, expounded upon at length in many different places. Rather than do the chicken little thing, why not begin a disconnection strategy. Maybe because actually doing something about it would remove the scary what-if crap they like to sling around in order to get funding for their products seeking a market.

First

Re:

Their great solution makes it so much easier to take down everything. If you have 3 Million different set ups for security you have to crack each one individually. If you have one government solution everyone has to use, you only have one system to break. Its the reasons I find Iran's centrally monitored and controlled internet amusing.

Governments in general, and the U.S. government in particular, are purely self serving. Their actions and laws and attempts to keep the public ignorant are intended to serve the government-industrial complex.

Critical Systems = ...

Re: Re:

And yes, industrial control systems do sometimes get connected to the internet.

Indeed they do. However, and I think this is the point that the AC was making, they most emphatically should not. Further, that entities who do are engaging in what amounts to gross incompetence.

The purported purpose for the NSA to have the power they want is better accomplished with less risk to liberty by making it illegal to connect "critical" systems to the internet with heavy penalties for doing so.

I think it's safe to presume that 5,408 is just the number they chose to report, that's a tiny subset of the number they're aware of, and that in turn is a tiny subset of the number that actually happened, and... this is just NASA, one federal agency.

I think the NSA could keep itself busy for the next 20 years trying to deal with this mess.

Re:

Unconstitutional.

No government agent can search anything without evidence of probable cause of a crime having already been committed and a warrant from a judge specifying exactly what evidence is being searched for and the location where it can be found.

Disrespecting the constitution is insulting every soldier that ever died for America.

Re: Unconstitutional.

No government agent can search anything without evidence of probable cause of a crime having already been committed and a warrant from a judge specifying exactly what evidence is being searched for and the location where it can be found.

While this has never been true as a blanket statement (there have always been legal exceptions) it is even less true now than before 9/11.

If you said "no government agent should be able to..." then I'd agree 100%.

Re: Unconstitutional.

Except if corporations are involved. Administrative warrants can be issued without probable cause, merely because a regulatory body wants to poke around. These started back in the Progressive Era because people were worried about corporations getting too much power.

If your data is held by a corporation, however, this is problematic.

The Courts have not ruled that the Fourth Amendment applies to corporations. If they did, then it would make it harder to regulate corporations, but it would protect individuals' privacy more.

Bill doesn't seem to be as bad as feared...

While I certainly think that we should continue to be skeptical and pay close attention, the McCain bill as introduced is not nearly as bad as this article feared. It's actually better on privacy than the DHS version that the majority is pushing.

Re: Re:

It's rather obvious to anyone with half a brain that the first step in securing a critical system is to sever it entirely from the internet. However, as Stuxnet demonstrated, just because something is offline doesn't mean it's secure.

Critical systems should have all aspects of their security dealt with, including physical and software security of both the system itself and any controlling system.

Opening up these systems to a third party for constant monitoring--most likely over the internet--is mindbogglingly stupid.

Re: Re: Pudding!

Re: Re: Unconstitutional.

except that said corporations are some of the larger threats to said privacy...

corporations are a menace (either in fact or potential, depending on various things), governments not under threat of uprising if they mishandle things are also a menace.

both rapidly get too large for individual citizens to have any meaning or value to them. feudalism or similar arrangements can mitigate this Somewhat (provided one avoids the stupidity that is serfdom) for governments, but that, of course, has it's own issues.

the USA is even worse off... you have a government that is far too large (in several senses of the word) basically acting at the behest of a collection of corporations which are Also far too large, in a system that is actively designed to prevent change.

that's the point in representative democracy by the way: stability. maintaining the status quo. ensuring the public don't NOTICE the loss of liberty as it slides in bit by bit, and cannot easily change things if they do.

the moment you introduce political parties into the equation the public good ceases to be relevant, being replaced by the public whim. introduce corporations and, in short order, that also goes out the window in favour of the corporate whim.

there was more to this thought but i realised i was starting to lose teh plot.
... perhaps i shouldn't try to make coherant points at 5am before sleeping

Can U.S. Spy Agencies Sharing Intelligence with U.S. Corporations Create a Corporate/Police State?

NSA under Bush II spied on Americans’ private phone and email communications without—warrants—collecting vast amounts of electronic communications. Americans are still upset. Last year Rep. Mike Rogers (R-MI) introduced H.R. 3523 that if passed would allow NSA to (Partnership) share with U.S. Corporations—classified (threat assessment information) so corporations can better defend against espionage and cyber crime. Understandably Americans are concerned NSA will provide their private information to U.S. corporations that embrace NSA’s information sharing, including to their corporate employers e.g., disclose their associations, private finances, medical records, what political and other organizations they belong or support; even protest demonstrations they attended. If NSA provides that kind of private employee information to (their corporate-partnership employers) it is foreseeable that will cause corporations to fire some employees; reject certain job applicants. Importantly, how will terminated employees and rejected job applicants appeal or defend against an NSA alleged threat assessment or other information NSA provided a corporate employer?

Before Hitler had total power, during 1930’s Hitler’s private Gestapo worked with German Corporations and Government Police. Once Hitler came to power German Citizens that did not belong to the Nazi Party could not get a job. Soon perhaps, U.S. Corporations will require permission from their partner (NSA), before they can hire a job applicant or keep current employees based on NSA so-called threat assessments.

After the arson burning of the German Parliament building, private corporations that supported the Nazi Party helped Hitler get passed legislation that suspended provisions of the German Constitution that protected Citizens’ freedoms and civil liberties. Corporations secured greater power; Citizens lost their rights.

If NSA provides U.S. Citizens’ private information to its corporate partners, it is necessary to consider NSA’s working relationship with Homeland Security. In mid-January 2012 Homeland Security announced the National Operations Center (NOC) received permission from Washington to monitor journalists and retain data on users of social media and online networking platforms. Homeland Security spying, tracking Americans will result in Citizens not visiting and posting comments on websites? Expect millions of Americans under constant police/government surveillance will increasingly not speak out; not attend political meetings or protest demonstrations out of fear they might be arrested, lose their job; be put on a government NO Hire List, especially if they work for a government agency or contractor—that happened in Nazi Germany.

If you are concerned that NSA, the U.S. Military, Homeland Security may share your private information with Corporations, consider Government’s recent creation of Fusion Centers; U.S. Government has laid the groundwork for the covert infiltration of Americans. Since 9/11 federal government has established across the nation more than 72 Fusion Centers. The Centers were originally established to improve the sharing of anti-terrorism intelligence among different state, local and federal law enforcement agencies. But since has expanded with encouragement of federal government to pursue all crimes and hazards. Fusion Centers now pursue for analysis not just criminal and terrorist information, but any information that can be derived from police, public records and private sector data about Americans.

Fusion Centers increasingly involve components of the U.S. Military in addition to other government entities to spy on U.S. Citizens. Fusion centers heavily rely on local and neighborhood informants for information that is shared with Local, State, and Federal Police Agencies. Recently Homeland Security began sharing more classified Military information with local Fusion Centers, perhaps a mistake; historically local police have not kept secrets well. Some Fusion Centers take advantage of ambiguous lines of authority to manipulate differences in federal, state and local laws to maximize information collection. Increasingly (private security companies and their operatives) work so closely with law enforcement and Fusion Centers—providing and exchanging information about Americans, they appear merged with government/police. Fusion Centers exchange information with (select U.S. private sector companies) that has enabled fusion centers to escape accountability and public oversight.

Before Hitler’s private Gestapo was consolidated with the German Government in 1934 his Gestapo worked with corporations to arrest Citizens and confiscate their private property with no legal authority. In 1934 the Gestapo was placed under SS leader Heinrich Himmler Chief of German Police. In 1939 all German Police agencies were put under the control of the "Reich Main Security Office” the equivalent of U.S. Homeland Security.

While the U.S. press has on occasion covered Fusion Centers invading the privacy of Citizens, media missed Fusion Centers’ involvement in criminal and civil asset forfeitures. It was problematic law enforcement and quasi private government contractors would gain wider access to Fusion Center data to secure evidence to arrest Americans and or civilly forfeit Americans’ homes, businesses and other assets under Title 18USC and other laws to keep part of the assets as a forfeiture commission.

U.S. Government wants the power without a warrant, to introduce as evidence in criminal prosecutions and government civil trials, any phone call record, email or Internet activity. Alarmingly, that would open the door for Police to take out of context any innocent—hastily written email, fax or phone call record to allege a crime or violation was committed to cause a person’s arrest, fines and or civil asset forfeiture of their property. There are more than 350 laws and violations that can subject property to government asset forfeiture: Government civil asset forfeiture requires only a civil preponderance of evidence for police to forfeit property, little more than hearsay.

If the Justice Department has its way, any information the FBI derives from (no warrant) acquisition of Web Server Records: User Internet Activity, emails; and phone records can be used by the FBI for (fishing expeditions) to issue subpoenas in hopes of finding evidence to prosecute Citizens for any alleged crime or violation—circumventing the Fourth Amendment. Consider: neither Congress nor the courts—determined what NSA electronic surveillance, perhaps illegal under Bush II, could be used by police or introduced into court by government to prosecute U.S. Citizens criminally or civilly. If U.S. Justice Department is permitted (No-warrant) surveillance of all electronic communications, it is problematic state and local law enforcement agencies and private government contractors will want access to prior Bush II /NSA and other government (retained electronic records) of Internet activity; emails and phone call information to secure evidence to arrest Americans and or civilly forfeit their homes, businesses and other assets under Title 18USC and other laws. Of obvious concern, what happens to fair justice in America if police become dependent on “Asset Forfeiture” to help pay their salaries and budget operating costs?

The “Civil Asset Forfeiture Reform Act of 2000” (effectively eliminated) the “five year statue of limitations” for Government Civil Asset Forfeiture: the statute now runs five years (from the date police allege they learned) an asset became subject to forfeiture. It is foreseeable should (no warrant electronic surveillance) be approved police will relentlessly sift through Citizen and businesses’ (government stored Internet data) not limited to emails and phone communications to discover alleged crimes or civil violations. A corrupt/despot U.S. Government may too easily use no-warrant-(seized emails, Internet data and phone call information) to blackmail Americans, corporations and others in the same manner Hitler utilized his passed police state laws to extort members of parliament, corporations and the wealthy to support passage of Hitler’s dictatorship legislation, e.g. the 1933 Discriminatory Decrees that suspended the Constitutional Freedoms of German Citizens. A Nazi Government threat of Civil Asset Forfeiture of an individual or corporation’s assets was usually sufficient to ensure Nazi support.

Under U.S. federal civil forfeiture laws, a person or business need not be charged with a crime for government to forfeit their property. Most U.S. Citizens, property and business owners that defend their assets against Government Civil Asset Forfeiture claim an “innocent owner defense.” This defense can become a criminal prosecution trap for both guilty and innocent property owners. Any fresh denial of guilt made to government when questioned about committing a crime “even when you did not do the crime” may “involuntarily waive” a defendant’s right to assert in their defense—the “Criminal Statute of Limitations” past for prosecution; any fresh denial of guilt even 30 years after a crime was committed may allow Government prosecutors to use old and new evidence; including information discovered during a Civil Asset Forfeiture Proceeding to launch a criminal prosecution. For that reason many innocent Americans, property and business owners are reluctant to defend their property and businesses against Government Civil Asset Forfeiture.

Re: waiving Criminal Statute of Limitations: see USC18, Sec.1001, James Brogan V. United States. N0.96-1579. U.S. See paragraph (6) at: